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AMENDMENTS TO THE CLAIMS 

(Currently Amended) A method for controlling access to a resource, the method 
comprising the steps of: 

creating and storing in th e Op e rating Syst e m afilesystem of an Operating System a 
file that represents the resource; 

receiving user-identifying information from a user requesting access to the resource, 
wherein the user-identifying information comprises a role associated with the 
user, wherein the role is determined from a user identifier uniquely associated 
with the user and from a group identifier associated with a group that includes 
the user; 

receiving a resource identifier associated with the resource; 

creating an access identifier based on the user-identifying information and the 

resource identifier, wherein the access identifier is formatted as a file attribute 

that is used by the Operating System to manage file access; 
calling the Operating System to perform an operation on the file using the access 

identifier to gain access to the file; and 
granting the user access to the resource only if the Operating System call successfully 

performs the operation. 

(Original) A method as recited in Claim 1, wherein the access identifier comprises: 
a first set of bits for storing a role identifier, wherein the role identifier is associated 

with the role; and 
a second set of bits for storing the resource identifier. 

(Original) A method as recited in Claim 1, wherein: 

the step of creating an access identifier based on the user-identifying information and 
the resource identifier comprises formatting the access identifier as a group 
identifier file attribute; and 
the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an 
Operating System process; and 
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calling an Operating System routine from the Operating System 

process to perform the operation on the file representing the 
resource. 

4. (Original) A method as recited in Claim 1, wherein the step of calling the Operating 
System to perform an operation on the file representing the resource comprises 
comparing the access identifier to an identifier included in an Access Control List file 
attribute associated with the file representing the resource, wherein the Access 
Control List file attribute includes the identifiers of all users and all groups of users 
allowed to access the file representing the resource. 

5. (Original) A method as recited in Claim 1, wherein the operation on the file 
representing the resource is selected from a group consisting of opening the file, 
closing the file, deleting the file, reading from the file, writing to the file, executing 
the file, appending to the file, reading a file attribute, and writing a file attribute. 

6. (Currently Amended) A method as recited in Claim 1 , the method further comprising 
the steps of: 

reading a permission bit associated with the file representing the resource, wherein 

the permission bit corresponds to [[a file]] the operation performable on the 

file representing the resource; 
based on the [[file]] operation on the file indicated by the permission bit, determining 

a resource operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource 

only if the permission bit allows the [[file]] operation to be performed on the 

file representing the resource. 

7. (Original) A method as recited in Claim 1, the method further comprising the steps 
of: 

opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with 
a resource operation; and 
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enabling the user to perform the resource operation on the resource only if the 

permission indicator indicates that the user is allowed to perform the resource 
operation on the resource. 

8. (Original) A method as recited in Claim 1, wherein the step of representing the 
resource by a file stored in the Operating System filesystem comprises: 
creating the file representing the resource in the Operating System filesystem; and 
assigning an access value to a file attribute of the file representing the resource, the 

file attribute being used by the Operating System to manage file access, 
wherein the access value corresponds to a combination of a role and a 
resource. 

9. (Original) A method as recited in Claim 8, wherein the file attribute used by the 
Operating System to manage file access is a group identifier file attribute. 

1 0. (Currently Amended) A method for controlling access to a resource, the method 
comprising the steps of: 

receiving a user identifier from a user requesting access to the resource, wherein the 

user identifier is uniquely associated with the user; 
receiving a group identifier associated with a group to which the user belongs; 
based on the user identifier and the group identifier, determining a role associated 

with the user, wherein a role identifier is uniquely associated with the role; 
receiving a resource identifier associated with the resource, wherein the resource is 

represented by a file stored in the Op e rating Syst e m a filesystem of an 

Operating System ; 

constructing an access identifier on the basis of the role identifier and the resource 
identifier, wherein the access identifier conforms to the format of a group 
identifier file attribute that is used by the Operating System to manage file 
access; 

making an Operating System call to perform an operation on the file representing the 
resource, wherein the Operating System call uses the access identifier to gain 
access to the file representing the resource; and 

granting the user access to the resource only if the Operating System call successfully 
performs the operation on the file representing the resource. 
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1 1 . (Original) A method as recited in Claim 10, wherein the access identifier comprises: 
a first set of bits for storing the role identifier, wherein the role identifier represents a 

bitmap, each bit of the bitmap uniquely associated with a role of the user; and 
a second set of bits for storing the resource identifier. 

12. (Original) A method as recited in Claim 10, wherein the step of making an Operating 
System call to perform an operation on the file representing the resource comprises: 
storing the group identifier value of a group identifier attribute of an Operating 

System process; 

assigning the access identifier to the group identifier attribute of the Operating 
System process; 

calling an Operating System routine from the Operating System process to perform 
the operation on the file representing the resource, wherein the operation on 
the file representing the resource is performed only if the value of the group 
identifier attribute of the Operating System process matches the value of the 
group identifier file attribute of the file representing the resource; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value. 

13. (Original) A method as recited in Claim 10, wherein the step of making an Operating 
System call to perform an operation on the file representing the resource comprises 
comparing the access identifier to an identifier included in an Access Control List file 
attribute associated with the file representing the resource, wherein the Access 
Control List file attribute includes the identifiers of all users and all groups of users 
allowed to access the file representing the resource. 

14. (Original) A method as recited in Claim 10, wherein the operation on the file 
representing the resource is selected from a group consisting of opening the file, 
closing the file, deleting the file, reading from the file, writing to the file, executing 
the file, appending to the file, reading a file attribute, and writing a file attribute. 

15. (Original) A method as recited in Claim 10, the method further comprising the steps 
of: 
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reading a permission bit associated with the file representing the resource, wherein 

the permission bit corresponds to a file operation performable on the file 

representing the resource; 
based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource 

only if the permission bit allows the file operation to be performed on the file 

representing the resource. 

16. (Original) A method as recited in Claim 10, the method further comprising the steps 
of: 

opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with 

a resource operation; and 
granting the user the privilege of performing the resource operation on the resource 

only if the permission indicator indicates that the user is allowed to perform 

the resource operation on the resource. 

17. (Original) A method as recited in Claim 10, the method fiirther comprising: 
creating the file representing the resource in the Operating System filesystem; and 
assigning an access value to a group identifier file attribute of the file representing the 

resource, the group identifier file attribute being used by the Operating System 
to manage file access, wherein the access value is uniquely determined by the 
combination of a role and a resource. 

18. (Original) A system for controlling access to a resource connected to a network, the 
system comprising: 

a client host capable of accessing the resource in response to a request for access from 
a user; 

one or more processors executing an Operating System, wherein the Operating 

System operatively controls a filesystem that includes a number of files; and 

a computer readable medium having stored therein an Application Programming 
Interface, wherein the Application Programming Interface is logically 
interposed between the client host and the Operating System and comprises 



8 



AIYAGARI, Sen No. 10/698,498, GAU2161, Examiner Paul Kim 

REPLY TO OFFICE ACTION 

one or more routines including routines which, when executed by the one or 

more processors, cause the one or more processors to perform the steps of: 

creating and storing in the filesystem a file that represents the resource; 

receiving user-identifying information from the user requesting access to the 
resource, wherein the user-identifying information comprises a role 
associated with the user, wherein the role is determined from a user 
identifier uniquely associated with the user and from a group identifier 
associated with a group that includes the user; 

receiving a resource identifier associated with the resource; 

creating an access identifier based on the user-identifying information and the 
resource identifier, wherein the access identifier is formatted as a file 
attribute that is used by the Operating System to manage file access; 

calling the Operating System to perform an operation on the file using the 
access identifier to gain access to the file; and 

granting the user access to the resource only if the Operating System call 
successfully performs the operation. 

(Original) A system as recited in Claim 18, wherein the access identifier comprises: 
a first set of bits for storing a role identifier, wherein the role identifier is associated 

with the role; and 
a second set of bits for storing the resource identifier. 

(Original) A system as recited in Claim 18, wherein: 

the step of creating an access identifier based on the user-identifying information and 
the resource identifier comprises formatting the access identifier as a group 
identifier file attribute; and 
the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an 

Operating System process; and 
calling an Operating System routine from the Operating System 

process to perform the operation on the file representing the 
resource. 
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2 1 . (Original) A system as recited in Claim 1 8, wherein the operation on the file 

representing the resource is selected from a group consisting of opening the file, 
closing the file, deleting the file, reading from the file, writing to the file, executing 
the file, appending to the file, reading a file attribute, and writing a file attribute. 

22-38 (Canceled) 

39. (New) A computer-readable medium, for controlling access to a resource, carrying 
one or more sequences of instructions which, when executed by one or more 
processors, causes the one or more processors to perform the steps of: 

creating and storing in a filesystem of an Operating System a file that represents the 
resource; 

receiving user-identifying information from a user requesting access to the resource, 
wherein the user-identifying information comprises a role associated with the 
user, wherein the role is determined from a user identifier uniquely associated 
with the user and from a group identifier associated with a group that includes 
the user; 

receiving a resource identifier associated with the resource; 

creating an access identifier based on the user-identifying information and the 

resource identifier, wherein the access identifier is formatted as a file attribute 

that is used by the Operating System to manage file access; 
calling the Operating System to perform an operation on the file using the access 

identifier to gain access to the file; and 
granting the user access to the resource only if the Operating System call successfully 

performs the operation. 

40. (New) A computer-readable medium as recited in Claim 39, wherein the access 
identifier comprises: 

a first set of bits for storing a role identifier, wherein the role identifier is associated 

with the role; and 
a second set of bits for storing the resource identifier. 

10 
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41 . (New) A computer-readable medium as recited in Claim 39, wherein: 

the step of creating an access identifier based on the user-identifying information and 
the resource identifier comprises formatting the access identifier as a group 
identifier file attribute; and 
the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an 

Operating System process; and 
calling an Operating System routine from the Operating System 

process to perform the operation on the file representing the 
resource. 

42. (New) A computer-readable medium as recited in Claim 39, wherein the step of 
calling the Operating System to perform an operation on the file representing the 
resource comprises comparing the access identifier to an identifier included in an 
Access Control List file attribute associated with the file representing the resource, 
wherein the Access Control List file attribute includes the identifiers of all users and 
all groups of users allowed to access the file representing the resource. 

43. (New) A computer-readable medium as recited in Claim 39, wherein the operation on 
the file representing the resource is selected from a group consisting of opening the 
file, closing the file, deleting the file, reading from the file, writing to the file, 
executing the file, appending to the file, reading a file attribute, and writing a file 
attribute. 

44. (New) A computer-readable medium as recited in Claim 39, carrying one or more 
additional sequences of instructions which, when executed by one or more 
processors, further causes the one or more processors to perform the steps of: 
reading a permission bit associated with the file representing the resource, wherein 

the permission bit corresponds to a file operation performable on the file 
representing the resource; 
based on the file operation indicated by the permission bit, determining a resource 
operation that is performable on the resource; and 
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granting the user the privilege of performing the resource operation on the resource 
only if the permission bit allows the file operation to be performed on the file 
representing the resource. 

45. (New) A computer-readable medium as recited in Claim 39, carrying one or more 
additional sequences of instructions which, when executed by one or more 
processors, further causes the one or more processors to perform the steps of: 
opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with 

a resource operation; and 
enabling the user to perform the resource operation on the resource only if the 

permission indicator indicates that the user is allowed to perform the resource 

operation on the resource. 

46. (New) A computer-readable medium as recited in Claim 39, wherein the step of 
representing the resource by a file stored in the Operating System filesystem 
comprises: 

creating the file representing the resource in the Operating System filesystem; and 
assigning an access value to a file attribute of the file representing the resource, the 
file attribute being used by the Operating System to manage file access, 
wherein the access value corresponds to a combination of a role and a 
resource. 

47. (New) A computer-readable medium as recited in Claim 46, wherein the file attribute 
used by the Operating System to manage file access is a group identifier file attribute. 

48. (New) A computer-readable medium, for controlling access to a resource, carrying 
one or more sequences of instructions which, when executed by one or more 
processors, causes the one or more processors to perform the steps of: 

receiving a user identifier from a user requesting access to the resource, wherein the 

user identifier is uniquely associated with the user; 
receiving a group identifier associated with a group to which the user belongs; 
based on the user identifier and the group identifier, determining a role associated 

with the user, wherein a role identifier is uniquely associated with the role; 
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receiving a resource identifier associated with the resource, wherein the resource is 
represented by a file stored in a filesystem of an Operating System; 

constructing an access identifier on the basis of the role identifier and the resource 
identifier, wherein the access identifier conforms to the format of a group 
identifier file attribute that is used by the Operating System to manage file 
access; 

making an Operating System call to perform an operation on the file representing the 
resource, wherein the Operating System call uses the access identifier to gain 
access to the file representing the resource; and 

granting the user access to the resource only if the Operating System call successfully 
performs the operation on the file representing the resource. 

49. (New) A computer-readable medium as recited in Claim 48, wherein the access 
identifier comprises: 

a first set of bits for storing the role identifier, wherein the role identifier represents a 
bitmap, each bit of the bitmap uniquely associated with a role of the user; and 
a second set of bits for storing the resource identifier. 

50. (New) A computer-readable medium as recited in Claim 48, wherein the step of 
making an Operating System call to perform an operation on the file representing the 
resource comprises: 

storing the group identifier value of a group identifier attribute of an Operating 
System process; 

assigning the access identifier to the group identifier attribute of the Operating 
System process; 

calling an Operating System routine from the Operating System process to perform 
the operation on the file representing the resource, wherein the operation on 
the file representing the resource is performed only if the value of the group 
identifier attribute of the Operating System process matches the value of the 
group identifier file attribute of the file representing the resource; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value. 
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5 1 . (New) A computer-readable medium as recited in Claim 48, wherein the step of 
making an Operating System call to perform an operation on the file representing the 
resource comprises comparing the access identifier to an identifier included in an 
Access Control List file attribute associated with the file representing the resource, 
wherein the Access Control List file attribute includes the identifiers of all users and 
all groups of users allowed to access the file representing the resource. 

52. (New) A computer-readable medium as recited in Claim 48, wherein the operation on 
the file representing the resource is selected from a group consisting of opening the 
file, closing the file, deleting the file, reading from the file, writing to the file, 
executing the file, appending to the file, reading a file attribute, and writing a file 
attribute. 

53. (New) A computer-readable medium as recited in Claim 48, carrying one or more 
additional sequences of instructions which, when executed by one or more 
processors, further causes the one or more processors to perform the steps of: 
reading a permission bit associated with the file representing the resource, wherein 

the permission bit corresponds to a file operation performable on the file 

representing the resource; 
based on the file operation indicated by the permission bit, determining a resource 

operation that is performable on the resource; and 
granting the user the privilege of performing the resource operation on the resource 

only if the permission bit allows the file operation to be performed on the file 

representing the resource. 

54. (New) A computer-readable medium as recited in Claim 48, carrying one or more 
additional sequences of instructions which, when executed by one or more 
processors, further causes the one or more processors to perform the steps of: 
opening the file representing the resource; 

reading from the file representing the resource a permission indicator associated with 
a resource operation; and 
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granting the user the privilege of performing the resource operation on the resource 
only if the permission indicator indicates that the user is allowed to perform 
the resource operation on the resource. 

(New) A computer-readable medium as recited in Claim 48, carrying one or more 
additional sequences of instructions which, when executed by one or more 
processors, further causes the one or more processors to perform the steps of: 
creating the file representing the resource in the Operating System filesystem; and 
assigning an access value to a group identifier file attribute of the file representing the 
resource, the group identifier file attribute being used by the Operating System 
to manage file access, wherein the access value is uniquely determined by the 
combination of a role and a resource. 

(New) An apparatus for controlling access to a resource, comprising: 

means for creating and storing in an Operating System filesystem a file that 
represents the resource; 

means for receiving user-identifying information from a user requesting access to the 
resource, wherein the user-identifying information comprises a role associated 
with the user, wherein the role is determined from a user identifier uniquely 
associated with the user and from a group identifier associated with a group 
that includes the user; 

means for receiving a resource identifier associated with the resource; 

means for creating an access identifier based on the user-identifying information and 
the resource identifier, wherein the access identifier is formatted as a file 
attribute that is used by the Operating System to manage file access; 

means for calling the Operating System to perform an operation on the file using the 
access identifier to gain access to the file; and 

means for granting the user access to the resource only if the Operating System call 
successfully performs the operation. 

(New) An apparatus as recited in Claim 56, wherein the access identifier comprises: 
a first set of bits for storing a role identifier, wherein the role identifier is associated 
with the role; and 
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a second set of bits for storing the resource identifier. 

58. (New) An apparatus as recited in Claim 56, wherein: 

means for creating an access identifier based on the user-identifying information and 
the resource identifier comprises means for formatting the access identifier as 
a group identifier file attribute; and 
means for calling the Operating System to perform an operation on the file 
representing the resource comprises: 

means for assigning the access identifier to a group identifier attribute 

of an Operating System process; and 
means for calling an Operating System routine from the Operating 
System process to perform the operation on the file 
representing the resource. 

59. (New) An apparatus as recited in Claim 56, wherein the operation on the file 
representing the resource is selected from a group consisting of opening the file, 
closing the file, deleting the file, reading from the file, writing to the file, executing 
the file, appending to the file, reading a file attribute, and writing a file attribute. 



